Difference between empty auth-constraint and no auth-constraint.

Sanjeev Ba
Ranch Hand

Joined: Dec 31, 2006
Posts: 40

Hello Ranchers,
I wanted to know the effect of having two security-constraint elements in the DD, one with an empty <auth-constraint/> (= allowing no one) and the other with no auth-constraint element.

Is the result to allow everyone or to allow no one? Which one takes precedence?

Also, I observed that there is some issue with the evaluation part of the Whizlabs simulator. It does not calculate the number of right answers properly. Has anyone else faced the same issue? I am using the trial version.

Thanks and Regards
Sanjeev
Gowher Naik
Ranch Hand

Joined: Feb 07, 2005
Posts: 643
I tried <auth-constraint/> and no auth-constraint and I found it allows everyone.
Niranjan Deshpande
Ranch Hand

Joined: Oct 16, 2005
Posts: 1277
empty <auth-constraint/> - NO one is allowed

no auth-constraint - everyone is allowed; it's the same as
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>


SCJP 1.4 - 95% [ My Story ] - SCWCD 1.4 - 91% [ My Story ]
Performance is a compulsion, not an option, if my existence is to be justified.
Sanjeev Ba
Ranch Hand

Joined: Dec 31, 2006
Posts: 40

Thanks Gowher for quickly testing it out.

Regards
Sanjeev
Sayak Banerjee
Ranch Hand

Joined: Nov 28, 2006
Posts: 292
I tried <auth-constraint/> and no auth-constraint and I found it allows everyone.

Well, that's not possible.....could you please post the code for the DD?

<auth-constraint/> means no access to no one.


Also,

no auth-constraint - everyone is allowed; it's the same as
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

<auth-constraint> element missing is not exactly the same as
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>

Though everyone is allowed in both cases, the former one allows unauthenticated access.
[ January 02, 2007: Message edited by: Sayak Banerjee ]

Turn on, tune in, drop out.
Gowher Naik
Ranch Hand

Joined: Feb 07, 2005
Posts: 643
[code]
<web-app...>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureWebResource</web-resource-name>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <url-pattern>/start.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureWebResource</web-resource-name>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <url-pattern>/start.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
[/code]
The above code from DD allows both admin and tomcat users.
Gowher Naik
Ranch Hand

Joined: Feb 07, 2005
Posts: 643

Above code allows both tomcat and admin users.
Sayak Banerjee
Ranch Hand

Joined: Nov 28, 2006
Posts: 292
There you go man.....I was pretty sure that you were combining constraints.....The information that I provided was about a single <security-constraint> element in the DD....

Tomcat 5.0.X does not strictly adhere to the spec. as far as combining <security-constraint> elements is concerned.....I dunno if they've corrected it in version 5.5.X but I had the same problem when using version 5.0.28....You can check this ISSUES WHEN COMBINING CONSTRAINTS
Sayak Banerjee
Ranch Hand

Joined: Nov 28, 2006
Posts: 292
As for the question originally asked by Sanjeev,
Hello Ranchers,
I wanted to know the effect of having two security-constraint elements in the DD, one with an empty <auth-constraint/> (= allowing no one) and the other with no auth-constraint element.

Is the result to allow everyone or to allow no one? Which one takes precedence?


Answer is (according to the spec.) : - No access to no one
Joe Harry
Ranch Hand

Joined: Sep 26, 2006
Posts: 9344
Sayak,

How come <auth-constraint/> and no auth-constraint will give access to no one?? I feel that it will give access to everyone. The no auth-constraint overrides <auth-constraint/>. Can anyone please give me the spec reference here?? Please!


SCJP 1.4, SCWCD 1.4 - Hints for you, Certified Scrum Master
Did a rm -R / to find out that I lost my entire Linux installation!
Gowher Naik
Ranch Hand

Joined: Feb 07, 2005
Posts: 643

From the above specification I think no one will be allowed.
Joe Harry
Ranch Hand

Joined: Sep 26, 2006
Posts: 9344
Gowher,

Your replies contradict...

Your first post says "I tried <auth-constraint/> and no auth-constraint and I found it allows everyone."

and

The above one says, from the servlet spec, that no one is allowed. So the servlet spec is final, and "no one will be allowed" is the conclusion for the original question by Sanjeev.

Thanks ranchers.
Gowher Naik
Ranch Hand

Joined: Feb 07, 2005
Posts: 643
This problem has occurred before also.
Check this PostSecurity
So I will go with the specification.
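To see what the spec's combining rules yield for a DD like the one Gowher posted, here is an added Python audit helper (not code from this thread, from Tomcat, or from any container); it applies the Servlet 2.4 combining rules Sayak refers to (section 12.8.1), and SAMPLE_DD is a constructed fragment modelled on his web.xml.

```python
# Added audit helper (not from the thread or any container): applies the Servlet 2.4
# spec, section 12.8.1, rules for combining <security-constraint> elements.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.xml fragment mirroring Gowher's DD: two constraints on
# /start.jsp, one without <auth-constraint>, one with an empty <auth-constraint/>.
SAMPLE_DD = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/start.jsp</url-pattern><http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/start.jsp</url-pattern><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def effective_rules(dd_xml):
    """Map (url-pattern, method) to 'deny-all', 'unauthenticated', or a frozenset of roles."""
    per_target = defaultdict(list)
    for sc in ET.fromstring(dd_xml).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is None:
            rule = "unauthenticated"       # element missing: anyone, even unauthenticated
        else:
            roles = frozenset(r.text.strip() for r in ac.findall("role-name"))
            rule = roles or "deny-all"     # <auth-constraint/> with no roles: nobody
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")] or ["*"]
            for p in wrc.findall("url-pattern"):
                for m in methods:
                    per_target[(p.text.strip(), m)].append(rule)
    combined = {}
    for target, rules in per_target.items():
        if "deny-all" in rules:            # an empty auth-constraint overrides everything
            combined[target] = "deny-all"
        elif "unauthenticated" in rules:   # a missing auth-constraint opens it to all
            combined[target] = "unauthenticated"
        else:                              # otherwise the union of the named roles
            combined[target] = frozenset().union(*rules)
    return combined

def is_allowed(rule, authenticated, user_roles):
    if rule in ("deny-all", "unauthenticated"):
        return rule == "unauthenticated"
    return authenticated and ("*" in rule or not rule.isdisjoint(user_roles))
```

Real descriptors declare the Java EE namespace on <web-app>, and with it present the unqualified tag names used here will not match, so strip or qualify the namespace before parsing.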